⚠️ Advanced Solution - For most use cases, see WALLIX_Simple_Integration (recommended)
Complete production-ready solution for integrating External Secrets Operator (ESO) with WALLIX Bastion privileged access management.
External Secrets Operator synchronizes secrets from WALLIX Bastion into Kubernetes/OpenShift, enabling:
- ✅ Centralized Secret Management - Store all privileged passwords in WALLIX
- ✅ Automatic Synchronization - Secrets auto-sync to Kubernetes/OpenShift
- ✅ Password Rotation - Automatic updates when passwords change in WALLIX
- ✅ Security Compliance - Maintain audit trails and access controls
- ✅ GitOps Compatible - Declare secrets in git without exposing values
- ✅ Multi-Provider Support - Integrate with Vault, AWS, Azure, and more
For maximum security hardening, consider combining this solution with WALLIX AAPM:
- 🛡️ Container-Level Security - Secure applications directly at runtime
- 🔑 Secret Zero Protection - Eliminate initial bootstrap credentials exposure
- 📊 Application Monitoring - Real-time visibility into application access patterns
- 🚫 Zero-Trust Architecture - Remove hard-coded secrets from containers entirely
- 🔄 Dynamic Credential Injection - Just-in-time credential provisioning
This approach provides defense-in-depth security for your containerized applications while maintaining the flexibility of external secret management.
| Document | Description | Time Required |
|---|---|---|
| INSTALLATION.md | Complete installation & quick start guide | 30-60 min |
| TROUBLESHOOTING.md | Common issues and solutions | As needed |
| scripts/README.md | Automation scripts documentation | Reference |
Use External Secrets Operator if:
- ✅ You already have ESO installed in your cluster
- ✅ You manage multiple secret providers (Vault, AWS Secrets Manager, Azure Key Vault, etc.)
- ✅ You have an experienced Kubernetes team
- ✅ You need advanced features (ClusterSecretStore, PushSecret, multi-tenancy)
- ✅ You want automatic secret rotation with external systems
Use Simple Integration if:
- ❌ You only need WALLIX Bastion integration
- ❌ You want a 5-minute setup with no dependencies
- ❌ You prefer simple init containers or CronJobs
- ❌ You're new to Kubernetes/OpenShift
See INSTALLATION.md for the complete step-by-step installation guide.
- Install ESO - Deploy External Secrets Operator via Helm
- Configure WALLIX - Create API credentials and SecretStore
- Create ExternalSecret - Sync passwords from WALLIX to Kubernetes
- Verify - Test the integration
- ESO v0.20+ uses API version `v1` (not `v1beta1`)
- Certificate validation is required (no `insecureSkipVerify` in v0.20+)
- Use a DNS hostname instead of an IP address for the WALLIX URL
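A pre-flight lint for a WALLIX SecretStore manifest against the three v0.20+ notes above, as an added example that is not part of this repository or of ESO. It runs line-based checks on the raw manifest text (no YAML library needed) and reports an `apiVersion` still on `v1beta1`, `insecureSkipVerify` enabled, and an IP literal instead of a DNS hostname in the webhook URL. Both manifests in the block are constructed; the hostname, IP address and CA value are placeholders.

```python
"""Pre-flight lint of a WALLIX SecretStore manifest for the ESO v0.20+ notes.

Added example; not code from this repository or from ESO. The manifests below
are constructed and their hostname, IP and caBundle value are placeholders.
"""
import ipaddress
import re
from urllib.parse import urlsplit

EXPECTED_API_VERSION = "external-secrets.io/v1"


def lint_secretstore(manifest: str) -> list:
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []

    api = re.search(r"^apiVersion:\s*(\S+)", manifest, re.M)
    if api is None:
        findings.append("apiVersion missing")
    elif api.group(1) != EXPECTED_API_VERSION:
        findings.append(f"apiVersion {api.group(1)}: ESO v0.20+ uses {EXPECTED_API_VERSION}")

    if re.search(r"^\s*insecureSkipVerify:\s*true\b", manifest, re.M):
        findings.append("insecureSkipVerify: true is not available in v0.20+; supply the CA via caBundle or caProvider")

    # The template placeholder contains spaces, so capture the whole quoted value.
    url = re.search(r"^\s*url:\s*[\"']?(.+?)[\"']?\s*$", manifest, re.M)
    if url:
        host = urlsplit(url.group(1)).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass  # a DNS name, which is what certificate validation needs
        else:
            findings.append(f"webhook URL host {host} is an IP address; use the DNS hostname on the WALLIX certificate")

    return findings


# Constructed manifest following the README's layout, with placeholder values.
GOOD_MANIFEST = """\
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: wallix-bastion
spec:
  provider:
    webhook:
      url: "https://bastion.example.internal/api/targetpasswords/checkout/{{ .remoteRef.key }}"
      method: GET
      caBundle: "<base64-encoded CA certificate placeholder>"
      result:
        jsonPath: "$.password"
"""

# Constructed manifest showing the three pre-0.20 habits the notes call out.
BAD_MANIFEST = """\
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: wallix-bastion
spec:
  provider:
    webhook:
      url: "https://192.0.2.10/api/targetpasswords/checkout/{{ .remoteRef.key }}"
      method: GET
      insecureSkipVerify: true
      result:
        jsonPath: "$.password"
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(name, lint_secretstore(text) or ["ok"])
```

Run it before `kubectl apply` on the manifest you intend to use; each finding maps to one of the three notes, so an empty list means the manifest follows them.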
```text
External_Secrets_Operator/
├── README.md                 # This file
├── QUICKSTART.md             # 15-minute quick start
├── INSTALLATION.md           # Complete installation guide
├── TROUBLESHOOTING.md        # Troubleshooting guide
├── examples/                 # YAML configurations
│   ├── wallix-secretstore-official.yaml
│   ├── deployment-example.yaml
│   ├── configmap-example.yaml
│   ├── init-container-wallix.yaml
│   └── cronjob-wallix-sync.yaml
├── scripts/                  # Automation scripts
│   ├── README.md             # Scripts documentation
│   ├── test-connection.sh    # Test WALLIX API
│   ├── validate-secrets.sh   # Validate ExternalSecrets
│   ├── monitor.sh            # Real-time monitoring
│   ├── cleanup.sh            # Safe cleanup
│   └── generate-readme.sh    # Generate docs
└── OLD/                      # Archived installation attempts
```

Connects ESO to WALLIX Bastion using the webhook provider:
```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: wallix-bastion
spec:
  provider:
    webhook:
      url: "https://WALLIX-URL/api/targetpasswords/checkout/{{ .remoteRef.key }}"
      method: GET
      headers:
        X-Auth-User: "{{ .authUser }}"
        X-Auth-Key: "{{ .authKey }}"
      secrets:
        - name: authUser
          secretRef:
            name: wallix-api-credentials
            key: api-user
        - name: authKey
          secretRef:
            name: wallix-api-credentials
            key: api-key
      result:
        jsonPath: "$.password"
```

Key Points:
- Both `X-Auth-User` and `X-Auth-Key` headers are required
- The URL template uses the `{{ .remoteRef.key }}` placeholder
- JSONPath extracts the password from the API response
- Supports self-signed certificates via `caBundle`
Define which WALLIX passwords to sync:
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: database-credentials
spec:
  refreshInterval: 1h          # Sync frequency
  secretStoreRef:
    name: wallix-bastion
  target:
    name: db-password-secret   # Kubernetes secret name
    creationPolicy: Owner
  data:
    - secretKey: password      # Key in secret
      remoteRef:
        key: admin@postgres@prod   # WALLIX target
```

WALLIX Target Format: `account@target@domain`
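To make the SecretStore key points and the target format concrete, here is an added example (not code from this repository, from ESO or from WALLIX) that models what the webhook provider does for one ExternalSecret: it validates the `remoteRef.key` against `account@target@domain`, renders the URL and both `X-Auth` header templates, and pulls the password out of the response with the configured jsonPath. The API response is constructed and `WALLIX-URL` is a placeholder host, as in the README; `checkout`, `render` and `extract` are names chosen for this example.

```python
"""Model of the ESO webhook-provider flow against WALLIX Bastion.

Added example; not code from this repository, from ESO or from WALLIX.
SAMPLE_RESPONSE is a constructed response body and WALLIX-URL a placeholder.
"""
import json
import re

# Same template values as the SecretStore in this README.
SECRET_STORE = {
    "url": "https://WALLIX-URL/api/targetpasswords/checkout/{{ .remoteRef.key }}",
    "headers": {"X-Auth-User": "{{ .authUser }}", "X-Auth-Key": "{{ .authKey }}"},
    "result": {"jsonPath": "$.password"},
}

# Constructed WALLIX checkout response used in place of a live API call.
SAMPLE_RESPONSE = '{"password": "example-password-123", "account": "admin"}'

# account@target@domain: three non-empty parts, no extra '@' and no whitespace.
TARGET_RE = re.compile(r"^[^@\s]+@[^@\s]+@[^@\s]+$")
PLACEHOLDER_RE = re.compile(r"\{\{\s*\.([\w.]+)\s*\}\}")


def valid_target(key: str) -> bool:
    """True when the remoteRef.key has the WALLIX account@target@domain form."""
    return bool(TARGET_RE.match(key))


def missing_credentials(creds: dict) -> list:
    """Names of the secret values the X-Auth headers need that did not resolve."""
    needed = {m.group(1) for h in SECRET_STORE["headers"].values() for m in PLACEHOLDER_RE.finditer(h)}
    return sorted(n for n in needed if not creds.get(n))


def render(template: str, values: dict) -> str:
    """Substitute {{ .name }} placeholders; an unknown name is an error."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unresolved template variable .{name}")
        return str(values[name])
    return PLACEHOLDER_RE.sub(sub, template)


def extract(body: str, json_path: str):
    """Minimal jsonPath for '$.a.b' style paths, enough for '$.password'."""
    if not json_path.startswith("$."):
        raise ValueError("only '$.field' paths are supported in this example")
    value = json.loads(body)
    for part in json_path[2:].split("."):
        value = value[part]
    return value


def checkout(remote_key: str, creds: dict, body: str = SAMPLE_RESPONSE) -> dict:
    """Simulate one sync: validate the target, build the request, extract the password."""
    if not valid_target(remote_key):
        raise ValueError(f"bad remoteRef.key {remote_key!r}: expected account@target@domain")
    missing = missing_credentials(creds)
    if missing:
        # The misconfiguration behind the 401/403 row of the troubleshooting table.
        raise KeyError(f"auth header credentials not resolved: {', '.join(missing)}")
    values = {"remoteRef.key": remote_key, **creds}
    url = render(SECRET_STORE["url"], values)
    headers = {h: render(t, values) for h, t in SECRET_STORE["headers"].items()}
    password = extract(body, SECRET_STORE["result"]["jsonPath"])
    return {"url": url, "headers": headers, "password": password}


if __name__ == "__main__":
    result = checkout("admin@postgres@prod.local",
                      {"authUser": "eso-service", "authKey": "constructed-api-key"})
    print(result["url"])
    print(sorted(result["headers"]))
    print("password length:", len(result["password"]))
```

The two failure paths are the ones the troubleshooting table lists: a key that is not `account@target@domain` is rejected before any request is built, and a missing `authUser` or `authKey` value is reported by name instead of surfacing later as a 401/403 from WALLIX.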
| Script | Purpose | Usage |
|---|---|---|
| test-connection.sh | Test WALLIX API | ./scripts/test-connection.sh |
| validate-secrets.sh | Validate sync status | ./scripts/validate-secrets.sh |
| monitor.sh | Real-time monitoring | ./scripts/monitor.sh |
| cleanup.sh | Safe cleanup | ./scripts/cleanup.sh --dry-run |
| generate-readme.sh | Generate docs | ./scripts/generate-readme.sh |
See scripts/README.md for complete documentation.
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: multi-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: wallix-bastion
  target:
    name: application-secrets
    creationPolicy: Owner
  data:
    - secretKey: db-password
      remoteRef:
        key: admin@postgres@prod.local
    - secretKey: api-key
      remoteRef:
        key: apiuser@external-api@prod.local
    - secretKey: ssh-key
      remoteRef:
        key: deploy@gitserver@prod.local
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
        - name: app
          image: myapp:latest
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-password-secret   # From ExternalSecret
                  key: password
```

More examples: examples/
```bash
# Test WALLIX connection
./scripts/test-connection.sh

# Validate all ExternalSecrets
./scripts/validate-secrets.sh

# Monitor in real-time
./scripts/monitor.sh

# Check a specific secret
kubectl get externalsecret my-secret
kubectl get secret app-credentials -o yaml
```

| Issue | Quick Fix |
|---|---|
| SecretStore not ready | ./scripts/test-connection.sh |
| ExternalSecret not syncing | Check format: account@target@domain |
| Certificate errors | Add caProvider with CA certificate |
| 401/403 errors | Verify both auth headers present |
Complete guide: TROUBLESHOOTING.md
| Feature | ESO (Advanced) | Simple Integration |
|---|---|---|
| Setup Time | 30-60 min | 5 min ⚡ |
| Dependencies | Helm, ESO | None (curl, jq) |
| Complexity | High | Low |
| Multi-Provider | ✅ Yes | ❌ WALLIX only |
| Auto-Refresh | ✅ Built-in | Manual/CronJob |
| Best For | Existing ESO users | Quick WALLIX integration |
```bash
# Safe cleanup with prompts
./scripts/cleanup.sh

# Dry run
./scripts/cleanup.sh --dry-run

# Complete uninstall
./scripts/cleanup.sh --uninstall
```

- External Secrets Operator Docs - Official documentation
- Webhook Provider Guide - Webhook details
- WALLIX API Docs - WALLIX API reference
- Simple Integration - Recommended for most cases
- ✅ Use ClusterSecretStore for shared credentials across namespaces
- ✅ Set `refreshInterval: 1h` (balance freshness vs API load)
- ✅ Use `caBundle` for production (not `insecureSkipVerify`)
- ✅ Monitor sync status with `./scripts/monitor.sh`
- ✅ Back up before cleanup: `kubectl get ... -o yaml`
- ✅ Test changes with `--dry-run` first
- ✅ Document WALLIX targets: maintain an inventory
- Documentation
  - INSTALLATION.md - Complete setup guide
  - TROUBLESHOOTING.md - Common issues
  - scripts/README.md - Scripts guide
- Diagnostics
  ```bash
  ./scripts/test-connection.sh    # Test WALLIX
  ./scripts/validate-secrets.sh   # Validate setup
  ./scripts/monitor.sh            # Check status
  ```
- Community
- ✅ Complete INSTALLATION.md (30-60 min)
- ✅ Review examples/ for your use case
- ✅ Set up monitoring: `./scripts/monitor.sh`
- ✅ Configure alerts for sync failures
- ✅ Plan backup and DR strategy
- ✅ Document your WALLIX target inventory
💡 Reminder: For simpler WALLIX-only integration, see WALLIX_Simple_Integration - 5-minute setup, no dependencies!